A plaintiff called Seth Shapiro is suing telco giant AT&T (NYSE:T) for its role in allegedly allowing hackers to access his cellphone on four occasions and enabling the theft of $1.8 million USD in cryptocurrencies from his crypto exchange accounts.
SIM-swapping is a type of hack in which cybercriminals arrange with a telco employee to swap the SIM card tied to a target’s phone number for one they control.
This can be accomplished by impersonating the target or via a criminal conspiracy with an employee at the telco.
Once a target’s phone has been taken over by hackers, apps and information therein, including the phone’s two-factor authenticator, can be used to open the individual’s cryptocurrency accounts.
Shapiro’s lawyers say information stolen from their client’s phone allowed hackers to access and empty his accounts on several crypto exchanges.
SIM-swap hacks reveal a major security failing at telcos, Shapiro’s lawyers argue:
“Tens of millions of subscribers entrust AT&T with access to their confidential information, including information that can serve as a key to unlock subscribers’ highly sensitive personal and financial information.”
…and cast doubt on the company’s promise to, “‘protect [customers’] privacy and keep personal information safe,’” the lawyers write.
According to the Santa Clara, California-based REACT Task Force, a law enforcement unit dedicated to fighting cybercrime, employee collusion is increasingly a factor in SIM-swap crimes.
Shapiro’s lawyers claim:
“(N)ot only did AT&T employees access his account and authorize changes to that account without Mr. Shapiro’s consent, but its employees actively profited from this unauthorized access by knowingly giving control over his phone number to hackers for the purposes of robbing him.”
Shapiro’s lawyers also claim they possess chat logs documenting AT&T employees and hackers bragging about the take and discussing how Shapiro’s stolen cryptocurrencies could be dispersed.
Shapiro’s lawyers also say AT&T sacrificed cybersecurity in order to focus on a “buying spree” of corporate acquisitions.
Crypto investor Michael Terpin is also suing AT&T for $224 million USD based on his claims that the company failed to prevent a SIM-swap hack against him that allowed cyber thieves to steal $24 million USD in crypto tokens from his online wallets.
Storing cryptocurrencies or tokens in “hot wallet” accounts accessible to the Internet, including exchange accounts, is generally not regarded as a best practice.
Use of “cold wallets” (offline hardware devices that resemble thumb drives) is advised. Hacks of crypto accounts, hot wallets and even cold wallet software are not uncommon.
Despite the risks, some crypto traders store crypto online in order to allow for quick trades.
AT&T has been contacted to comment on the case and any comments will be appended.